Ruleset Update Summary - 2025/04/14 - v10904

Summary:

76 new OPEN, 90 new PRO (76 + 14)

Thanks @naumovax
Added rules:

Open:

  • 2061509 - ET INFO DYNAMIC_DNS Query to a *.inoa .cl domain (info.rules)
  • 2061510 - ET INFO DYNAMIC_DNS HTTP Request to a *.inoa .cl domain (info.rules)
  • 2061511 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aquesolp .run) (malware.rules)
  • 2061512 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (aquesolp .run) in TLS SNI (malware.rules)
  • 2061513 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (astroset .top) (malware.rules)
  • 2061514 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (astroset .top) in TLS SNI (malware.rules)
  • 2061515 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (jawdedmirror .run) (malware.rules)
  • 2061516 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (jawdedmirror .run) in TLS SNI (malware.rules)
  • 2061517 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (legislatiu .cfd) (malware.rules)
  • 2061518 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (legislatiu .cfd) in TLS SNI (malware.rules)
  • 2061519 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lonfgshadow .live) (malware.rules)
  • 2061520 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lonfgshadow .live) in TLS SNI (malware.rules)
  • 2061521 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nighetwhisper .top) (malware.rules)
  • 2061522 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (nighetwhisper .top) in TLS SNI (malware.rules)
  • 2061523 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (owlflright .digital) (malware.rules)
  • 2061524 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (owlflright .digital) in TLS SNI (malware.rules)
  • 2061525 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pastoralkyu .click) (malware.rules)
  • 2061526 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pastoralkyu .click) in TLS SNI (malware.rules)
  • 2061527 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (qualityow .store) (malware.rules)
  • 2061528 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (qualityow .store) in TLS SNI (malware.rules)
  • 2061529 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vqaliantheart .live) (malware.rules)
  • 2061530 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vqaliantheart .live) in TLS SNI (malware.rules)
  • 2061531 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (*.digital-odyssey .shop) (malware.rules)
  • 2061532 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (*.digital-odyssey .shop) in TLS SNI (malware.rules)
  • 2061533 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dryguitttaow .shop) (malware.rules)
  • 2061534 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (dryguitttaow .shop) in TLS SNI (malware.rules)
  • 2061535 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (*.culture-quest .shop) (malware.rules)
  • 2061536 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (*.culture-quest .shop) in TLS SNI (malware.rules)
  • 2061537 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fairycity .shop) (malware.rules)
  • 2061538 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fairycity .shop) in TLS SNI (malware.rules)
  • 2061539 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (throaatyinpak .site) (malware.rules)
  • 2061540 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (throaatyinpak .site) in TLS SNI (malware.rules)
  • 2061541 - ET WEB_SPECIFIC_APPS Fortinet FortiSwitch Unauthenticated Unverified Password Change (CVE-2024-48887) (web_specific_apps.rules)
  • 2061542 - ET MALWARE DuvetStealer C2 (send-zip) Traffic Outbound (malware.rules)
  • 2061543 - ET MALWARE DuvetStealer C2 (send-token) Traffic Outbound (malware.rules)
  • 2061544 - ET MALWARE DuvetStealer Related Domain (duvetstealer .com) in DNS Lookup (malware.rules)
  • 2061545 - ET MALWARE Specter Insight Beacon CnC Domain in DNS Lookup (identity-shield .org) (malware.rules)
  • 2061546 - ET MALWARE Observed Specter Insight Beacon Domain (identity-shield .org) in TLS SNI (malware.rules)
  • 2061547 - ET WEB_SERVER SonicWall SRA Post-Auth viewcert CGI Command Injection (CVE-2016-9684) (web_server.rules)
  • 2061548 - ET WEB_SERVER SonicWall SRA diagnostics CGI Command Injection (CVE-2016-9682) M1 (web_server.rules)
  • 2061549 - ET WEB_SERVER SonicWall SRA diagnostics CGI Command Injection (CVE-2016-9682) M2 (web_server.rules)
  • 2061550 - ET WEB_SERVER SonicWall SRA Post-Auth gencsr CGI Command Injection (web_server.rules)
  • 2061551 - ET MALWARE Specter Insight Beacon CnC Checkin M2 (malware.rules)
  • 2061552 - ET MALWARE Specter Insight Beacon CnC Checkin M3 (malware.rules)
  • 2061553 - ET WEB_SPECIFIC_APPS D-Link DI-8100 auth.asp callback Parameter Buffer Overflow Attempt (CVE-2025-3538) (web_specific_apps.rules)
  • 2061554 - ET WEB_SERVER SonicWall SMA Unauthenticated sonicfiles Confused Deputy (CVE-2021-20042) (web_server.rules)
  • 2061555 - ET INFO DYNAMIC_DNS Query to a *.kazoodle .com domain (info.rules)
  • 2061556 - ET INFO DYNAMIC_DNS HTTP Request to a *.kazoodle .com domain (info.rules)
  • 2061557 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (timerlesssaga .run) (malware.rules)
  • 2061558 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (timerlesssaga .run) in TLS SNI (malware.rules)
  • 2061559 - ET WEB_SERVER SonicWall SMA Unauthenticated sonicfiles CPU Exhaustion (CVE-2021-20041) (web_server.rules)
  • 2061560 - ET MALWARE BlankGrabber New Victim Checkin/Exfil (POST) (malware.rules)
  • 2061561 - ET MALWARE DeerStealer CnC Domain in DNS Lookup (foggy-doggy .site) (malware.rules)
  • 2061562 - ET MALWARE DeerStealer CnC Domain in DNS Lookup (velvet5nssrv .shop) (malware.rules)
  • 2061563 - ET MALWARE DeerStealer CnC Domain in DNS Lookup (cdn-upload-files .buzz) (malware.rules)
  • 2061564 - ET MALWARE DeerStealer CnC Domain in DNS Lookup (buildit-right .buzz) (malware.rules)
  • 2061565 - ET MALWARE DeerStealer CnC Domain in DNS Lookup (go-cars-cheaprest .cfd) (malware.rules)
  • 2061566 - ET MALWARE DeerStealer CnC Domain in DNS Lookup (world-of-guides .buzz) (malware.rules)
  • 2061567 - ET MALWARE DeerStealer CnC Domain in DNS Lookup (sonorous-horizon-cfd .cfd) (malware.rules)
  • 2061568 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (iqronrose .top) (malware.rules)
  • 2061569 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (iqronrose .top in TLS SNI) (malware.rules)
  • 2061570 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thiefbshadow .run) (malware.rules)
  • 2061571 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (thiefbshadow .run in TLS SNI) (malware.rules)
  • 2061572 - ET MALWARE Observed DeerStealer Domain (foggy-doggy .site) in TLS SNI (malware.rules)
  • 2061573 - ET MALWARE Observed DeerStealer Domain (velvet5nssrv .shop) in TLS SNI (malware.rules)
  • 2061574 - ET MALWARE Observed DeerStealer Domain (cdn-upload-files .buzz) in TLS SNI (malware.rules)
  • 2061575 - ET MALWARE Observed DeerStealer Domain (buildit-right .buzz) in TLS SNI (malware.rules)
  • 2061576 - ET MALWARE Observed DeerStealer Domain (go-cars-cheaprest .cfd) in TLS SNI (malware.rules)
  • 2061577 - ET MALWARE Observed DeerStealer Domain (world-of-guides .buzz) in TLS SNI (malware.rules)
  • 2061578 - ET MALWARE Observed DeerStealer Domain (sonorous-horizon-cfd .cfd) in TLS SNI (malware.rules)
  • 2061579 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (jagsrus .com) (exploit_kit.rules)
  • 2061580 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (jagsrus .com) (exploit_kit.rules)
  • 2061581 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (uochut .shop) (exploit_kit.rules)
  • 2061582 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (uochut .shop) (exploit_kit.rules)
  • 2061583 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (www .chamberscertifiedbookkeeping .com) (malware.rules)
  • 2061584 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (www .chamberscertifiedbookkeeping .com) (malware.rules)

Pro:

  • 2861125 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2861126 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2861127 - ETPRO MALWARE Observed Malicious SSL/TLS Certificate (DCRAT) (malware.rules)
  • 2861128 - ETPRO MALWARE Observed Malicious SSL/TLS Certificate (DCRAT Loader Panel) (malware.rules)
  • 2861129 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2861130 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2861131 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2861132 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2861133 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2861134 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2861135 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2861136 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2861137 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2861138 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)